Guide to secure age verification
As online age verification has become the norm in more and more industries — from social media to adult entertainment to online gaming, marketplaces, and everything in between — many businesses have had to rethink their approach to the process.
Gone are the days when all a user needed was to complete a simple age gate or self-attestation. Today, companies have many more robust options to choose from, including government ID checks, database verification, and even age estimation based on selfie verification.
The good news? All of these systems have been proven to be effective in verifying users’ ages at acceptable assurance levels.
The bad news? Most also require a company to collect and store sensitive information about their users — names, contact information, birthdates, government IDs, and selfies. This opens up a new arena of risk: Data privacy and security.
Simply put, if they’re going to verify users’ ages, businesses must also have measures in place to protect any customer data they collect. Failure to do so can lead to potential regulatory action, in addition to damaged customer trust and brand reputation.
Below, we offer a brief refresher on how age verification works and the technologies that underlie it. We also discuss why it’s so important for businesses to have a secure solution in place, and provide a number of best practices that you can use to keep your age verification strategy secure.
How does online age verification work?
Age verification is the process of verifying that a person is old enough to access age-restricted products, services, or content. Businesses are generally obligated to check users’ ages before providing access to content meant for specific age groups.
Online age verification can take a few different shapes. Often, it involves one or multiple of the methods below:
Government ID verification
With government ID verification, the user is prompted to use their device’s camera to take a photo of their government-issued ID. This can be a driver’s license, passport, residency card, or other ID. The ID is then analyzed for authenticity. Finally, the date of birth contained within the ID is extracted and cross-checked against information submitted by the user.
Database verification
With database verification, the user provides some combination of identifying information about themselves. In addition to date of birth, this will often include their name, contact information (phone number and email), and address. The information is then compared against a third-party database for accuracy.
Selfie verification
With selfie verification, the user is prompted to capture and upload one or multiple selfies. Artificial intelligence (AI) then reviews the images to assess the user’s age with a reliable level of accuracy. The selfie may also be checked for signs of tampering or AI generation.
A combination approach
Each of the methods above has its own strengths and weaknesses. That’s why multiple methods are often used together to increase assurance.
Let’s say, for example, that you require a user to verify their age by uploading a photo of their government ID. How do you know that a child didn’t steal their parent’s ID in order to access your website, or use generative AI to create a realistic fake?
Requiring the user to submit a selfie along with their ID allows you to compare the selfie against the portrait in the ID, which can help you weed out the first scenario. Meanwhile, pairing government ID verification with database verification empowers you to confirm that the information in the ID is accurate, addressing the second.
Why does data security matter when it comes to age verification?
Data security matters in digital age verification because it protects users' sensitive personal information from fraud and misuse.
In order to verify a user’s age, businesses must collect personally identifiable information (PII) about that user. Unfortunately, this PII is a valuable target for fraudsters, who can use it to steal a user’s identity, conduct synthetic identity fraud, or engage in other crimes.
Failure to adequately protect this sensitive data from inappropriate access can have serious negative impacts on your business, ranging from regulatory action to diminished customer trust.
For compliance with industry-specific regulations
When it comes to secure age verification, regulations are a double-edged sword. Some industry-specific regulations require businesses to verify users’ ages and establish children’s right to use online platforms. At the same time, a global patchwork of kids' online privacy laws limits how businesses can collect and use data from minors — and imposes strict requirements on how that data must be protected once collected.
Some important data protection regulations you should keep in mind while designing your online age verification strategy include:
Colorado Privacy Act (CPA)
Virginia Consumer Data Protection Act (VCDPA)
Brazil General Data Protection Act or Lei Geral de Proteção de Dados (LGPD)
UK General Data Protection Regulation (UK GDPR)
UK Data Protection Act 2018
Australian Privacy Act
Penalties for non-compliance vary significantly but often range from a few hundred to a few thousand dollars per instance.
To enhance customer trust in your business
Do you operate in a jurisdiction free of data privacy regulations? That doesn’t mean you’re in the clear.
Even in the absence of regulatory pressure to safeguard customer data, you should still prioritize consumer trust and brand reputation, such as by establishing a dedicated trust and safety team.
When a user discovers that their data privacy has been breached, it can cause serious and immediate damage to the customer trust you’ve spent years building. This loss of trust can make your users rethink whether they want to continue doing business with you… and might even send them to your competitors. This is especially true when children’s data is involved.
Best practices for age-based verification in the digital era
If you have a goal of achieving secure age verification for your business — and really, you should! — that goal should inform your entire strategy, from the moment you select a solution through final deployment. Here are four best practices that can help:
1. Only collect and store what you need
As a rule of thumb, businesses should aim to collect and store the minimum amount of customer information they need to establish a user’s age at the required assurance level — a concept known as data minimization. (The same is true for businesses performing verification of any kind.)
The reason for this is two-fold:
First, keeping data collection to a minimum allows you to minimize the threats associated with a data breach. The less PII you collect and store, the less of a target you are to fraudsters — and the less damage those fraudsters can realize if they breach your systems.
Second, minimizing how much data and evidence you collect during age-based verification helps you minimize user friction. This helps reduce the risk of drop-offs or failed conversions.
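One way to apply data minimization after an ID or database check, as an added Go example (not Persona's code): the extracted date of birth is reduced to a threshold result, and only that result is stored. The AgeClaim type, the Minimize function and the account id are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// AgeClaim is all that is persisted after a check: no name, date of birth or
// ID image. The type and field names are assumptions made for this example.
type AgeClaim struct {
	UserID     string    // internal account id, not taken from the ID document
	MinAge     int       // threshold that was tested
	MeetsMin   bool      // outcome of the check
	Method     string    // e.g. "government_id", "database", "selfie"
	VerifiedAt time.Time // when the check ran
}

// ageOn returns completed years on the calendar date of now. A 29 February
// birthday is treated as reached on 1 March in non-leap years (an assumption;
// some jurisdictions use 28 February).
func ageOn(dob, now time.Time) int {
	years := now.Year() - dob.Year()
	if now.Month() < dob.Month() || (now.Month() == dob.Month() && now.Day() < dob.Day()) {
		years-- // this year's birthday has not happened yet
	}
	return years
}

// Minimize reduces an extracted date of birth to a threshold claim. The caller
// discards dob and the evidence it came from once this returns.
func Minimize(userID string, dob, now time.Time, minAge int, method string) (AgeClaim, error) {
	if dob.After(now) {
		return AgeClaim{}, fmt.Errorf("date of birth is in the future")
	}
	return AgeClaim{UserID: userID, MinAge: minAge, MeetsMin: ageOn(dob, now) >= minAge,
		Method: method, VerifiedAt: now.UTC()}, nil
}

func main() {
	dob := time.Date(2004, 2, 29, 0, 0, 0, 0, time.UTC) // constructed sample
	now := time.Date(2025, 2, 28, 12, 0, 0, 0, time.UTC)
	claim, err := Minimize("acct-1001", dob, now, 21, "government_id")
	fmt.Printf("%+v %v\n", claim, err) // MeetsMin is false: the 21st birthday falls on 1 March
}
```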
Learn more about how Persona’s Workflows empower you to tailor your age verification approach to minimize unnecessary data collection.
2. Follow data encryption best practices
During both the collection and storage of user data, it’s critical to follow encryption best practices to ensure that it’s as secure as possible. This includes:
Encrypting all web traffic using HTTPS, not the less secure HTTP protocol
Securing stored user data with AES-256 encryption, and storing decryption keys separately with regular key rotation
Implementing strong identity access management and internal controls to prevent unauthorized access by employees and contractors
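The storage bullet above, as an added Go example (not Persona's code): each field is sealed with AES-256-GCM and tagged with a key version, so keys can live in a separate store and be rotated without stranding older records. Keys, Seal and Open are hypothetical names, and the in-memory map stands in for a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Keys map[byte][]byte // version -> 32-byte key, held in a separate key store

func gcmFor(keys Keys, ver byte) (cipher.AEAD, error) {
	if len(keys[ver]) != 32 {
		return nil, fmt.Errorf("key version %d is missing or not 256-bit", ver)
	}
	block, _ := aes.NewCipher(keys[ver]) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// Seal returns version || nonce || ciphertext+tag, with recordID bound as AAD.
func Seal(keys Keys, ver byte, recordID string, pt []byte) ([]byte, error) {
	aead, err := gcmFor(keys, ver)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte{ver}, nonce...), nonce, pt, []byte(recordID)), nil
}

func Open(keys Keys, recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 13 { // 1 version byte + 12-byte GCM nonce
		return nil, fmt.Errorf("blob too short")
	}
	aead, err := gcmFor(keys, blob[0]) // key chosen by the stored version byte
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[1:13], blob[13:], []byte(recordID))
}

func main() {
	keys := Keys{1: make([]byte, 32)}
	rand.Read(keys[1]) // constructed demo key; production keys come from the key store
	blob, _ := Seal(keys, 1, "acct-1001", []byte("dob=1990-04-12")) // constructed sample
	pt, err := Open(keys, "acct-1001", blob)
	fmt.Println(blob[0], string(pt), err)
}
```

After a rotation, new writes use the new version while old blobs stay readable; a background job can Open and re-Seal them, after which the old key is retired.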
When selecting an age verification system, you should choose a partner that is certified to whatever security and privacy standards matter most to your industry, whether that is SOC 2, NIST SP 800-63, ACCS, or another standard.
Learn more about the steps Persona takes to secure and protect your users’ data and privacy.
3. Offer multiple online age verification options
Some privacy-conscious users may not be comfortable providing certain information or evidence for online age verification, such as a government ID.
Likewise, some regulations that require online platforms to perform age verification — such as the Australian social media ban — require organizations to offer multiple age verification options in case users don’t have a certain type of ID. In these instances, you may be able to keep conversions high by offering other verification options users can choose from.
Another option? Default to the age verification method that introduces the least friction, which typically involves the least data collection. Then, based on the risk signals you detect, you can step up verification with additional friction for users where more assurance is required.
Learn more about how Persona’s Dynamic Flow powers a smarter age verification strategy by assessing user risk in real time.
4. Work with an age verification provider who will securely store PII for you
One final solution to the problem of data security: offload the challenge completely by selecting an age verification provider that will handle PII storage so you don’t have to.
When you don’t store user PII directly within your systems, you don’t carry the liability that comes with data leaks or breaches. This empowers you to focus on what you do best — providing a pleasant experience to your users — without needing to worry about the specifics of data security.
Learn more about how Persona’s PII Accounts can handle information storage for you.
How Persona can help you achieve secure age verification checks
Here at Persona, data privacy and security aren’t an afterthought — they’re an integral part of our age verification solution. That’s why we adhere to the highest industry standards, including:
HIPAA
FERPA
CCPA
GDPR
AICPA SOC 2
ISO 27001
NIST 800-63 rev.3
and more
Our flexible platform allows you to build the exact verification flow your business requires, giving you complete control over what information and evidence you collect. Rest easy knowing that we’ll handle PII storage for you and that every piece of data passing through our systems is encrypted to the highest industry standards.
Skeptical? You don’t have to take our word for it. We routinely participate in certification programs and evaluations offered by trusted third parties, including the Age Check Certification Scheme (ACCS), Germany’s KJM, iBeta, and more.
Ready to see how Persona can help you get secure age verification right? Contact us to learn more or get started for free.
FAQs
How safe is age verification?
The security of an age verification strategy depends on the specific context in which it’s implemented. Implemented correctly, user data can be incredibly secure; implemented poorly and without the proper safeguards in place, user data may be at risk.
Some ways you can make your age verification strategy safer and more secure include:
Practicing data minimization, where you only collect as much data as you need to verify a user’s age — and no more
Following the data encryption best practices that matter most to your industry and organization
Selecting an age verification solution capable of collecting, handling, and securely storing PII for you
How does age verification work online?
Age verification works by collecting and validating information to confirm whether a user meets the minimum age requirement to access a given platform, service, or piece of content.
In practice, this can be done in several ways, depending on the level of assurance needed. Common approaches include:
Credit card verification: A user enters their credit card information, which is then validated. Because most countries do not allow minors to have their own credit card, this can sometimes serve as an indirect means of age verification, though it offers low assurance.
Age estimation: A user is prompted to take a selfie, which is then analyzed by various AI models to determine whether the user is likely to be a minor or an adult.
Government ID verification: A user is prompted to take a photo of their government-issued ID, which is then analyzed for authenticity. The user is then prompted to take a selfie, which is compared against the photo in the ID to ensure that it wasn’t stolen or manipulated.
What is the best way to verify age online?
There is no one single best method for verifying a user’s age online. What works for one business or industry may not work for another. The best age verification solution for you is the one that empowers you to comply with whatever laws or regulations you are subject to — while remaining flexible enough to help you meet your risk and conversion goals.
What types of websites and apps have age restrictions?
Which websites and apps are subject to age verification requirements depends on the jurisdictions in which they operate — and whether those governments have adopted age verification regulations. For example, under the UK’s Online Safety Act, social media platforms and sites in the United Kingdom that host pornographic content are required to implement robust age verification systems.
Industries that are increasingly subject to age restrictions include:
Social media platforms
Platforms hosting adult content, such as pornography sites
Online gambling and gaming platforms
Online alcohol and tobacco retailers
Other online marketplaces
How does Persona’s age verification solution work?
Persona’s age verification solution is flexible, allowing you to design and build the strategy that makes most sense for your business — whether that involves:
Government ID verification
Database verification
Selfie verification
A mix of all three
Leverage Dynamic Flow to reach the assurance levels required while controlling friction without compromising conversions.